Mikrotik VPN – L2TP/IPSec Server for Remote Clients
If you’re looking for a quick guide for configuring a Mikrotik VPN Server, allowing remote clients to connect into your building controlled by a Mikrotik Router, you’ve come to the right place.
This guide was written for Mikrotik RouterOS v6.41 in September 2017. It presumes you have your main (edge) router as a Mikrotik device, and are NOT behind a double-NAT.
Single-Nat: Modem > Router > Devices.
Double-Nat: Modem > Router > Router > Devices. If your Mikrotik Router has a WAN IP in the ranges of: 192.168.X, 10.X, or 172.16.X, it’s a double-NAT.
Alrighty, let’s get started!
There are two parts of a L2TP Server:
- L2TP VPN Protocol – Creates the link between two locations
- IPSec Encryption – Secures and protects the link
Configure L2TP Server, under PPP (Point-to-Point Protocol)
PPP > Interface > L2TP Server Check "Enabled" to turn on the L2TP Server Default Profile: default Authentication: Check only "mschap2" Use IPsec: Yes IPsec Secret: YourPreSharedKey Caller ID Type: IP Address PPP > Profiles > Default (Create your rules for users) ##If you have multiple bridges to separate your network, create a profile for each and specify the bridge, otherwise ignore. Local Address: IP of your local Mikrotik Router (e.g. 192.168.1.1 or 10.10.10.1) Remote Address: DHCP pool DNS Server: IP of your DNS server/router or 188.8.131.52 (Google DNS) PPP > Secrets (Create your users) New (+) Name: Username Password: UsersPassword Profile: default
Configure IPSec Encryption
IP > IPsec > Peers New (+) Address: 0.0.0.0/0 (for allowing any internet IP to attempt to connect) Port: 500 Auth Method: pre shared key Exchange Mode: main l2tp Secret: YourPreSharedKey (Must match the PSK from PPP > L2TP Server) Advanced Tab Policy Template Group: default Send Initial Contact: Enabled NAT Traversal: Enabled My ID type: auto Generate Policy: port override Proposal Check: obey Encryption Tab Hash Algorithm: sha1 Encryption Algorithm: Check: 3des, aes-128 DH Group: Check: modp1024 IP > IPSec > Proposals Edit Default Auth Algorithms: Check: sha1 Encryption Algorithms: CVheck: 3des, aes-128 cbc PFS Group: modp1024
IP > Firewall > Filter Rules New (+) VPN Rule Chain: input Protocol: 17 (udp) Dst. Port: 500,1701,4500 Action: Accept Move rule higher up in the list (above any WAN block rules) IP > Firewall > NAT New (+) Chain: srcnat Out. Interface: bridge (Your internal network bridge) Action: Masquerade
Configure Client Connection
There are an infinite number of devices that can be configured. I’m going to configure the most common — A Windows 10 L2TP VPN Client, built into the Operating System.
Start > Network and Sharing Center Setup a new connection or network > Connect to a workplace (VPN) No > Create a new connection Use my internet connection (VPN) Internet Address: Your Routers WAN IP (e.g. vpn.company.com, or static IP (e.g. 184.108.40.206) Destination Name: Your name for this connection Remember my credentials: Checked Go to Adapter Settings > Right-Click VPN Connection > Properties Security > Type of VPN: L2TP/IPSec Advanced Settings> Use Preshared Key for Authentication: Enter your Pre-Shared Key from the your L2TP IPsec Secret (under PPP > Interfaces > L2TP Server). Allow these protocols: Check Only: Microsoft CHAP version 2 In Windows 10 - You have to manually re-enter the PSK and saved credentials in a separate menu.... Right-Click VPN Connection > Connect Select in list > Advanced Option > Edit VPN Type: L2TP/IPSec with Pre-Shared Key: Enter Pre-Shared Key Type of Sign-in Info Username (From PPP > Secrets) Password (From PPP > Secrets) Connect
You should now be connected to the internal LAN of your Mikrotik network. Attempt pinging devices by IP to confirm connectivity.
NETBIOS does not work through the VPN — but FQDNs do.
For example, server1 will not resolve.
Server1.domain.local will resolve
If you absolutely need to resolve by local name, create a WINS server, and assign its IP within the PPP Profile for the WINS Server field.
If you need help diagnosing your VPN connection:
System > Logging New (+) Create Three Topics: l2tp, ppp, and ipsec Action: Memory From here you will be able to see logs under "Log" and google your solution where something may need adjusting.